Jumping Into Twitter, Despite the Security Risks

I joined Twitter today. Not because I want to bore the entire world with 140-character updates of my personal life several times a day (isn’t that what Facebook is for?)—but because all the Windows IT Pro editors are getting increasingly involved in social media and social networking. Twitter is a great tool to quickly and easily spread the word about industry news, promote upcoming events, highlight newly live articles on our websites, and just generally connect with our readers.

Of course the downside (other than the bazillion tweets to sift through every day) is that every new technology comes with inherent security risks. Just this week, Twitter fell victim to a hack that affected hundreds of thousands of users. Hackers exploited a security flaw on the site that let them tweet and retweet malicious code, activate popups, and even expose users to hard-core pornography.

According to a blog post on Twitter’s own site, the security exploit was caused by cross-site scripting (XSS): Malicious users submitted JavaScript code as plain text into tweets that could be executed in other users’ browsers. When a user moused over a link in a malicious tweet, the text changed color and a pop-up text box appeared. In some cases the malicious tweets were automatically retweeted, without users’ knowledge.
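The defensive side of what the post describes is output encoding: a site must escape user text before placing it in a page so that anything typed into a tweet is shown literally rather than interpreted as markup. The following is an added example, not code from the article or from Twitter; the function names and the sample tweet are constructed for illustration.

```javascript
// Added example: HTML output encoding for user-supplied tweet text.
// Every character that carries meaning in HTML is replaced by its entity,
// so text submitted "as plain text" can never become a tag or an attribute.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Render a tweet: link http(s) URLs, escape everything else.
// Only http/https are linked, so a "javascript:" URL stays inert text, and
// the href itself is escaped so a quote in the URL cannot close the attribute.
function renderTweet(text) {
  const urlPattern = /https?:\/\/[^\s<>"']+/g;
  let out = "";
  let last = 0;
  for (const m of String(text).matchAll(urlPattern)) {
    out += escapeHtml(text.slice(last, m.index));
    const safeUrl = escapeHtml(m[0]);
    out += `<a href="${safeUrl}" rel="nofollow noopener">${safeUrl}</a>`;
    last = m.index + m[0].length;
  }
  out += escapeHtml(text.slice(last));
  return out;
}

// Helper for checking a rendered string: list the tag names it contains.
// A correctly encoded tweet yields only the <a> tags the renderer produced.
function tagNames(html) {
  return [...html.matchAll(/<\/?([a-zA-Z]+)/g)].map((m) => m[1]);
}

// Constructed sample in the style the article describes: text that tries to
// break out of an attribute and attach a mouseover handler. After encoding,
// the quotes and handler are ordinary characters on the page.
const SAMPLE = 'Check this out http://example.com/"onmouseover="alert(1)" style="color:red"';

console.log(renderTweet(SAMPLE));
```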

Although the hacks didn’t harm any computers or accounts, and no user information was compromised, the security hole is being seen as a major oversight on Twitter’s part. According to Sophos senior technology consultant Graham Cluley, Twitter should have flagged this security flaw itself. “It shouldn’t be possible to plant JavaScript code like this into your tweets,” he said. He also pointed out the obvious potential for hackers to redirect users to third-party websites that contain malicious code.

Twitter claims to have discovered and patched the same issue last month. However, a recent site update resurfaced the hole, and malicious users were quick to jump on it. One of the most notably (and embarrassingly) hacked feeds was that of Sarah Brown, the wife of former British Prime Minister Gordon Brown—her feed was temporarily redirected to a hard-core porn site based in Japan. (So much for British dignity!)

The hack affected only Twitter.com—not Twitter’s mobile website or mobile applications. In addition, third-party applications that access Twitter, such as TweetDeck, weren’t affected by the hack. (Of course I’m using TweetDeck to access my shiny new Twitter account! Follow me on Twitter at @LavonPeters.)